1. Introductions and apologies


1.1 Apologies for absence were received from Matthew Atkinson
and Sid Sidhu.


2. Declaration of interests 


2.1 No declarations of interest were made. 


3. Matters arising from the previous meeting 


3.1 The minutes of the previous meeting were approved as an
accurate record.

3.2 There were no updates to outstanding actions.


4. Deputy Chief Executive Officer’s update 


4.1 Paul Arnold provided the Committee with an update on
matters relating to the Committee's work which were not
otherwise addressed in the agenda. This included updates on
EU exit preparations, high priority investigations, statutory
codes and work with the Department for Culture, Media and
Sport Select Committee. He also updated on the ICO’s
expansion, including embedding the values, corporate
narrative and commitment to service excellence within the
organisation.

4.2 The Committee discussed the Commissioner’s recent
appearance at the DCMS Disinformation Sub-Committee,
which had been hugely positive in enabling the ICO to
continue developing a strong relationship with members of the
Committee.


5. Risk and opportunity management 


5.1 Louise Byers introduced a report which set out the current
position in relation to the ICO’s risk and opportunity
management.

5.2 Paul Arnold explained that Executive Team had conducted a
review of the corporate risks earlier that day and had agreed
that the score for R1 (“the way we exit the European Union,
and the accompanying uncertainty, impacts on our ability to
deliver functions...”) could be reduced from 20 to 16. This was
to reflect the work already completed in preparation for the
EU withdrawal, along with the extended time period in which
to prepare for various exit scenarios. The Committee
discussed this and agreed with the reduction of the risk score.

5.3 Paul Arnold reported that Executive Team had also discussed
whether the score for R3 (“ICO fails to meet expectations
when dealing with its regulatory action priorities in a timely
and effective way and hence does not meet the wide range of
stakeholder expectations”) could be reduced from 16 to 12.
This was to reflect, in particular, the work which had been
completed in relation to oversight of regulatory priorities and
managing high priority investigations. The Committee also
agreed with the reduction of the risk score.

Actions: Chris Braithwaite to update risks R1 and R3 as
per the reductions agreed at Executive Team.

5.4 The Committee discussed the decision to amalgamate three
risks into one to form a revised risk R2, particularly whether
this new risk adequately reflected risks in relation to culture
and compliance. Paul Arnold explained that the revised risk
reflected the service excellence work programme, which
would be the main driver to deliver the ICO’s cultural change
project. However, the risk register would be reviewed to
ensure that there was an appropriate reflection of risks in
relation to compliance and culture. This would be included in
the updated version of the report which would be submitted to
Management Board.

Action: Louise Byers to review the risk register to
ensure that there is appropriate inclusion of risks in
relation to compliance and culture, prior to the report
being submitted to the Management Board.


6. ICO governance structures 


6.1 Louise Byers presented a report which set out the ICO’s
governance structures, following the growth of the
organisation over the last year.

6.2 The Committee welcomed the report, but requested that
additional information be included in relation to: the
composition of each of the governance bodies referred to in
the report; and the involvement of non-executive directors.


Action: Louise Byers to update the report to include 
clarity on the involvement of non-executive directors 
and the composition of each body, prior to the report 
being submitted to Management Board. 


7. Funding ICO litigation costs 


7.1 Paul Arnold presented a report which set out potential
approaches for funding litigation costs resulting from the
ICO’s investigations.

7.2 The Committee discussed the proposals set out in the report,
particularly in light of the need for the ICO to be suitably
resourced to be an effective regulator and the use of a similar
model by the Competition and Markets Authority.

7.3 The Committee considered the potential of the recommended
approach to create a reputational risk that the “ICO has a
financial incentive to take regulatory action”. However, the
Committee agreed that the process set out, whereby the ICO
reclaimed the funding rather than directly retaining it, would
help to mitigate this potential risk.

7.4 The Committee agreed to support the recommendation set
out in the report. The report would be updated accordingly
and submitted to Management Board for consideration.

Action: Paul Arnold to update the report to include
reference to the Audit Committee’s support of the
recommendation prior to submission to Management
Board.

7.5 The Committee agreed that it would be vital to ensure that
the recommended approach was supported by the NAO.
However, the use of a similar approach by the CMA, which
was supported by the NAO, indicated that this should be
achievable.


8. Finance 


8.1 Andrew Hubert presented a report which set out the ICO’s
management accounts for March 2019 and the ICO’s budget
for 2019/20.

8.2 The Committee discussed the overspend on business travel.
The Committee agreed that there was sufficient reasoning for
this being overspent, given the need for a significant increase
in national and international travel in preparation for the UK’s
EU exit (as well as due to the implementation of GDPR). It
was important that this information was presented alongside
public reporting of travel spend, as it demonstrated that the
additional spending had been vital to deliver the ICO’s duties.

8.3 The Committee discussed whether annual budgeting based on
projected income continued to be appropriate for the ICO.
Given the potential for significant variances in spending
requirements between years as a result of major
investigations or litigation, the option for a three-year
budgeting model may be preferable.


9. Outstanding audit recommendations 


9.1 Chris Braithwaite presented a report which set out the status
of the outstanding audit recommendations.

9.2 The Committee agreed that the revised target date for the
outstanding actions for the guidance development audit
should be October.


10. Internal audit 


10.1 Mazars presented a series of reports which set out the
findings of the following audits: Procurement and contract
management; IT strategy; Cyber-security (ISO 27001)
(advisory audit); 2018/19 follow-up audit; 2018/19 annual
audit report.

10.2 In relation to the procurement and contract management
audit, management confirmed that the audit finding of limited
assurance was appropriate. Given the importance of the
procurement policy (due for completion in June 2019) in
providing assurance in this area, the Committee agreed that a
further update should be provided to the Committee’s June
2019 meeting, to provide information on how the recommendations
from the audit report were being addressed.

Action: Andrew Hubert to provide an update on
implementing the recommendations from the
procurement and contract management audit to the
Committee's June 2019 meeting.

10.3 The Committee welcomed the proposal for single tender
procurements to be presented to the Audit Committee and
agreed that the thresholds for such reports should include
aggregation of multiple individual single tenders with the
same contractor.

10.4 The Committee welcomed the management response to the IT
Strategy audit, as when recommendations were only partially
accepted by management this should be made clear as part of
the response.


11. Internal audit plan 2019/20 


11.1 Mazars presented a report which set out the internal audit
plan for 2019/20. The Committee agreed that the proposed
plan for 2019/20 was appropriate.

11.2 The Committee discussed whether the planned audit of
culture and processes, currently scheduled for 2021/22,
should be brought forward. The Committee agreed that this
could be considered following Management Board’s
discussions of the risk relating to culture (as per item 5
above).


12. External audit update 


12.1 BDO provided a verbal update on external audit work.

12.2 The Committee noted that this was Heather Dove’s last
meeting before going on maternity leave. The Committee
thanked Heather for all of her work in preparing the accounts
in advance of her maternity leave and gave her their best
wishes for her leave.

12.3 Andrew Hubert confirmed that an interim Head of Finance
would be appointed for the duration of Heather’s leave.


13. 2018/19 ICO annual report 


13.1 Chris Braithwaite presented a report which set out early drafts
of the 2018/19 Audit Committee annual report and the
“Accountability” section of the 2018/19 ICO annual report.

13.2 The Committee agreed that any assurance which the ICO had
given to the DCMS’s Audit Committee during the year should
be included in the annual report.

Action: Chris Braithwaite to update the annual report to
include reference to assurance given by the ICO to the
DCMS’s Audit Committee.

13.3 The Committee also agreed that the Audit Committee’s annual
report should include updates on progress towards achieving
the outstanding audit recommendations.

Action: Chris Braithwaite to update the Audit
Committee annual report to include updates on
progress towards achieving outstanding audit
recommendations.


14. Fraud, whistleblowing and security 


14.1 Chris Braithwaite presented a report which provided an 
update on fraud, whistleblowing and security over the last 
quarter. 


15. NAO Guidance 


15.1 Chris Braithwaite presented a report which provided the 
Committee with the NAO’s March 2019 Round-up for Audit 
Committees. 


16. Any other business 


16.1 There were no items of other business. 


